Using Act! 365 to comply with GDPR

Important: This information is not legal advice, and does not cover all of the ways in which the GDPR can impact your business. We recommend working with a legal specialist to help you fully assess your business requirements for the GDPR and ensure compliance. This document contains public sector information available on the Information Commissioner's Office (ICO) website. More information on the ICO is available here.

GDPR stands for the General Data Protection Regulation. GDPR will govern the use by organisations of personal information of any individual resident in the European Union. It comes into force on 25 May 2018, when it will replace the Data Protection Act 1998.

Defining Personal Data

Personal data is any data which can be used by itself, or combined with other data, to identify an individual. Under GDPR, the term 'personal data' is defined more widely than it was under the DPA and takes into account a wide range of things that could identify a person, such as unique identification names/numbers, IP addresses, online behavioural data and location data.

Much of the information about individuals (as opposed to companies and similar organisations) that you record in a CRM system is likely to be considered "personal data" under GDPR. Hence, it is of paramount importance that you ensure that data creation, storage, management and use are carried out in a compliant manner. It is not only important to keep the data secure; you also have to make sure that it is only kept for as long as it is needed.

Controllers and processors

An organisation which determines how and for what purposes personal data is processed is called a 'controller'. A processor processes personal data on behalf of a controller. The GDPR places legal obligations on controllers. Processors also have obligations, for example to keep records of processing that has taken place.

Territorial Scope

The GDPR applies to all organisations established in the European Union (EU), as well as organisations processing personal data of EU citizens, even if the organisation is outside the EU. By recording an individual's country of residence in Act! 365, you can quickly identify records which have rights under the GDPR. A grouping of these records can also be created for quick and easy reference.

Data Protection Principles

Similar to the Data Protection Act which GDPR supersedes, there are 6 Data Protection Principles which govern how an individual's data can be used. Personal data must be:

• Used fairly, lawfully and transparently.

• Collected for specified purposes, and then used in a way that is compatible with those purposes.

• Used in a way that is adequate, relevant and limited to what is necessary for the specified purposes.

These first requirements are very closely related. Act! 365 can’t fully control or limit how you use personal data, but it can help you to keep track of how Users are interacting with Contacts. You can ensure contact data is used in a way that is adequate by tracking your opt-outs from emarketing campaigns in Act! 365.

Your business must determine its own policy for what constitutes obsolete or redundant data, as well as defining processes around identifying and managing these records. Act! 365 can help you put this into practice in a number of ways:

By recording Create Dates of records and using Activities to track the last interactions. These can be used to determine if it is still necessary to keep the record. For example, users can make decisions based on the dates of the last interaction with a Contact.

Data Loss Prevention

The Act! 365 Server is backed up on a daily basis, and backups are retained for a period of 30 days. We can recover your database to help prevent accidental loss, destruction or damage. For more information and to discuss pricing, please contact the Customer Success Team via the Community Forum.

Lawful Basis for Processing

Organisations need a lawful basis to process data. This was very similar under the DPA, though accountability for, and transparency about using, any basis is now more important. There are six lawful bases for processing. In this document we only cover the lawful basis of consent. However, at least one of the other bases is likely to be as relevant a basis for processing as consent, if not more so. The content at this page of the ICO website is very helpful in determining the bases on which an organisation can rely.

These are:

Consent

Individuals must give this clearly and in relation to a specific process.

Contract

Processing is necessary for a contract or to enter into one.

Legitimate interests

The processing is necessary for your interests, or those of some other party, unless there is a good reason to protect the individual's personal data which is more important than those interests.

Legal obligations

Not including contractual ones.

Vital interests

To save someone’s life.

Public task

This will only apply to public sector organisations.

Consent

Consent is often used as a lawful basis in relation to processing for marketing purposes. It must be a freely given, specific, informed and unambiguous indication of the individual's wishes. There must be some form of clear affirmative action, or in other words a positive opt-in; consent cannot be inferred from silence, pre-ticked boxes or inactivity. Consent must also be separate from other terms and conditions, and you will need to provide simple ways for people to withdraw consent. Consent has to be verifiable, and you need to build in methods for individuals to exercise their rights about giving consent. "You are not required to automatically refresh all existing DPA consents in preparation for the GDPR. But if you rely on individuals' consent to process their data, make sure it will meet the GDPR standard on being specific, granular, clear, prominent, opted-in, properly documented and easily withdrawn. If not, alter your consent mechanisms and seek fresh GDPR-compliant consent, or find an alternative to consent."

The section below will assist in managing consent given via emarketing opt-out and opt-in.

There is more information available on consent as a lawful basis for processing in the following article from the ICO website here.

Individual Rights

GDPR expands on the rights an individual has over how their personal data can be used.

The right to be informed

Similar information as under the DPA needs to be provided when collecting individuals' data, with some additions. The information you supply is determined by whether or not you obtained the personal data directly from individuals and is set out in a detailed table on the ICO's web pages. Much of the information you should supply is consistent with your current obligations under the DPA, but there is some further information you are explicitly required to provide. The information you supply about the processing of personal data must be:

• Concise, transparent, intelligible and easily accessible.

• Written in clear and plain language, particularly if addressed to a child.

• Free of charge.

Whatever data you gather, individuals need to be kept updated. They need to know what personal information you’re storing and what you’re going to do with it. All communication with your clients on this subject must be straightforward and free of charge to access.

Through customisation, a field can be created in Act! 365 to record that the appropriate information has been given to the individual whose details are recorded in a Contact record. For example, a Date Box or Yes/No field (check/tick box) could be created to note that appropriate information has been given, and when. A drop-down could specify the source of the permission given (e.g. phone call, web contact form, etc.).

Users of Act! 365 should consider implementing a process which governs the provision of information to individuals who fill in forms, and recording when and how that information was given.

The right of access

This is similar to the position under the DPA, but information must now be provided free of charge, unless the request is 'manifestly unfounded or excessive', when a reasonable fee can be charged. In summary, information must be provided without delay and within one month of receipt. There is an obligation to verify the identity of the individual making the request using "reasonable means". Requests made in electronic format should be provided in a commonly used format. There is a best practice recommendation that, "where possible, organisations should be able to provide remote access to a secure self-service system which would provide the individual with direct access to his or her information (Recital 63). This will not be appropriate for all organisations, but there are some sectors where this may work well."

Data held within Contact fields can also be exported to CSV format for easy sharing with a customer. You can also extract information on Opportunities and Activities through the Act! 365 API.

The right to rectification

Individuals are entitled to have personal data rectified if it is inaccurate or incomplete. This must be done within a month, with the possibility of an extension if the request is complex. If no action is being taken, that must be explained to the individual, along with their right to complain. Third parties to which data have been passed must also rectify the data. Act! 365 enables a record to be made of the request to rectify, for example as an Activity. The create date of the Activity will be stored. Follow-ups to the request can be recorded as an additional Activity for a specified User. Act! 365 can be used to record where information has been shared with a third party, to facilitate contacting them should this need to be rectified. A process should be put in place setting out the steps an employee must take when they receive a request for rectification.

The right to erasure

Also known as the right to be forgotten. This right enables an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing. Individuals have a right to have personal data erased and to prevent processing in specific circumstances given in the GDPR. Third parties to which data have been passed must also be informed. Act! 365 allows the deletion of Contact records, which will in turn delete all entries and data associated with the record.

Act! can be used to record where information has been shared with a third party, to facilitate contacting them should this need to be erased. A process should be put in place around any information passed to third parties.

The right to restrict processing

As with the DPA, individuals have a right to block processing of personal data. When processing is restricted, you are permitted to store the personal data, but not further process it. You can retain just enough information about the individual to ensure that the restriction is respected in future. A Custom Field can be used to track the customer's preference for no processing. This would need to be manually adhered to by users of Act! 365.

The right to data portability

Individuals may obtain and reuse their personal data for their own purposes across different services. The processor has to respond within a month. Individuals should be able to move, copy or transfer data from one IT service to another, securely and without hindrance. The personal data must be provided in an open format that is structured, commonly used and machine readable. You may have to transmit the data to another organisation if that is technically feasible. You shouldn't prejudice the rights of others, e.g. by disclosing third-party data.

The right to object

From the perspective of using Act! 365, the relevant grounds on which individuals may object are:

Processing based on legitimate interests (including profiling)

Direct marketing (including profiling).

If a processor processes personal data for the performance of a legal task or the organisation's own legitimate interests, an individual can object based on 'grounds relating to his or her particular situation'. The organisation must stop unless there are compelling legitimate grounds for the processing which override the rights of the individual, or the processing is for exercising legal claims.

Individuals must be informed of their right to object at the point of first communication and in the privacy notice. As now, this notice must be brought explicitly to the attention of the data subject and be presented clearly and separately from any other information.

If the processing activities are carried out online, there must be a way for individuals to object online. As this is an important area we suggest you read the Information Commissioner’s guidance in full, which can be found here.

Within emarketing, recipients have the ability to opt-out in the footer of the email they receive as part of your campaign. The impact of this is explained in this article.

Can recipients opt back in to my campaigns?

Should your recipient opt out in error or wish to receive your emails again, they can opt back in to your campaigns. You should follow the process detailed in the article below to remove an opt-out.

How do I import an existing opt-out list in to Act! 365 emarketing?

If you have previously used another emarketing service or have kept a manual list of your opt-outs, you can provide them to us in CSV format by contacting Technical Support and we can add them to your account. We will confirm once the opt-outs have been added to your account. You can contact our Customer Success team via the Community Forum.

Although the above will assist you in managing opt-outs via emarketing, Act! can also be used to track opt-outs for other methods of contact such as SMS or postal mail. You are able to track this via custom fields in Act!. There are details on creating custom fields and adding them to your layout in the two articles below.

Accountability and governance

GDPR requires that organisations put into place comprehensive but proportionate governance measures. The ICO says that to demonstrate compliance an organisation must:

“Implement appropriate technical and organisational measures that ensure and demonstrate that you comply. This may include internal data protection policies such as staff training, internal audits of processing activities, and reviews of internal HR policies

maintain relevant documentation on processing activities

where appropriate, appoint a data protection officer

use data protection impact assessments where appropriate

Implement measures that meet the principles of data protection by design and data protection by default. Measures could include:

data minimisation;

pseudonymisation;

transparency;

allowing individuals to monitor processing; and

creating and improving security features on an ongoing basis.

Organisations can also adhere to approved codes of conduct and/or certification schemes.”

Documentation

As part of GDPR, you may be required to produce evidence of your compliance. This can be helped by documenting decisions you have made about using someone's data. Find out more information here. Act! 365 has a number of features which can help you to record decisions made about the use of personal data:

Act! 365 can help with documenting compliance by providing the ability to store evidence of compliant processing activity. For example, an Activity entry made by the user can record the evidence, and you could also include a link to a hosted file. This would require user training about compliance requirements and how those requirements affect the use of Act! 365.

The following article explains how to link a relevant document/file to a Contact:

Organisations with fewer than 250 employees must keep records about higher-risk processing activities, such as processing data which could result in a risk to the rights and freedoms of individuals, special categories of data, or data relating to criminal offences.

Guidelines are available for organisations who need to keep such records and the ICO has indicated that exemptions may be put in place for SMBs. As mentioned above in relation to compliance, Act! may be used to help as a document store in appropriate circumstances.

Data protection by design and default

There is a general obligation on processors to implement technical and organisational measures to show they have considered and integrated data protection into their data processing activities and processes. Privacy by design "is an approach to projects that promotes privacy and data protection compliance from the start. The ICO encourages organisations to ensure that privacy and data protection is a key consideration in the early stages of any project, and then throughout its lifecycle. For example when:

building new IT systems for storing or accessing personal data;

developing legislation, policy or strategies that have privacy implications;

embarking on a data sharing initiative; or

using data for new purposes.”

A Data Protection Impact Assessment should be carried out when considering the use of new technology. The Information Commissioner has a Code of Practice explaining how to use Impact Assessments. Carrying out one should “reduce the risks of harm to individuals through the misuse of their personal information. It can also help you to design more efficient and effective processes for handling personal data”.

Codes of conduct and certification schemes

The ICO provides a separate section on codes of conduct and certification which gives guidelines on how these may be used by organisations to demonstrate that they comply with various elements of the GDPR.

It should be noted that these codes of conduct and certifications need to be endorsed by the UK Information Commissioner’s Office (ICO) (if an organisation has determined the ICO is their relevant supervisory authority). At the time of writing (April 2018) we are not aware of the ICO’s approval of any code of conduct or certification which would be relevant to the use of Act! 365.

For more details, the relevant section of the ICO’s site can be found here.

Each organisation must implement compliance processes, for example documenting compliance and carrying out Impact Assessments. They should also adopt relevant procedures to put in place the measures needed to meet the principles of data protection by design and default. Organisations should consult the ICO's website for more information and work with consultants as appropriate to ensure they put in place and maintain the appropriate governance measures.

The following information is provided for information and completeness only. For all the following aspects of GDPR compliance, Act! is most likely to be useful for storing documentation which helps demonstrate compliance with the GDPR, though the section at the end includes information about how Act! 365 can help with processing data relating to children.

Appointing a Data Protection Officer

This is required in certain circumstances. Regardless of whether an organisation is obliged to appoint a Data Protection Officer (DPO), s/he must have sufficient skills and resource to comply with GDPR and other relevant privacy obligations. The DPO's minimum required tasks are defined on the ICO website here.

Security of personal data

Personal data must be processed securely by taking appropriate technical and organisational measures. You should carry out a proportionate risk analysis, put in place relevant organisational policies and take appropriate technical and physical measures. Anonymisation and encryption should be considered. Systems and services must keep personal data confidential and secure and maintain its integrity. Backups should be made to enable lost data to be restored. Whatever measures are put in place should be tested and any necessary improvements made.

Transfer of data outside the EU

Personal data can only be transferred when specified conditions are met. There are a number of schemes that have been put in place by regulatory bodies, following decisions of the European Commission. There are exceptions to the general prohibition for certain specific circumstances, namely when the transfer is:

made with the individual’s informed consent;

necessary for the performance of a contract between the individual and the organisation or for pre-contractual steps taken at the individual’s request;

necessary for the performance of a contract, made in the interests of the individual, between the controller and another person;

necessary for important reasons of public interest;

necessary for the establishment, exercise or defence of legal claims;

necessary to protect the vital interests of the data subject or other persons, where the data subject is physically or legally incapable of giving consent; or

made from a register which under UK or EU law is intended to provide information to the public (and which is open to consultation by either the public in general or those able to show a legitimate interest in inspecting the register).

Breach notification

Data processing organisations have an obligation to notify the relevant supervisory authority of a breach if it is likely to result in a risk to the rights and freedoms of individuals, that is, a breach which, if nothing is done, will have a significant detrimental impact on individuals: for example, if it could result in discrimination, damage to reputation, financial loss, loss of confidentiality or other significant economic or social disadvantage. Individuals affected must also be notified when that risk is high. Notification must be made to the supervisory authority within 72 hours and, if necessary, to individuals without undue delay. Failing to do so can result in a significant fine, up to €10M or 2% of global turnover. You should take steps to educate staff about the notification requirements and put in place relevant measures to identify internal breaches, investigate them and report on them.

Application of GDPR to Children

If your company offers its products or services to children, then you might need to get the consent of their parents or guardians before collecting or processing any of their data. Under GDPR, only a person aged 13 or over can give their own consent. More information about this can be obtained from the relevant page of the ICO website. Using Act! 365 you can store the age against every new contact and then perform a search to identify children for whom you have a record. You can then take appropriate steps to process those children's information in line with GDPR requirements.